#!/bin/bash -x

step=${1:-1}

LOCAL_REGISTRY="AAAAAAAAAAAAAAAAAAAAAAAAA"
your_image="BBBBBBBBBBBBBBBBBBBBBBBBB"
your_decrypted_image="CCCCCCCCCCCCCCCCCCCCCCCCCCC"
your_encrypted_image="DDDDDDDDDDDDDDDDDDDDDDDDDDD"
your_coco_keyprovider_image="${LOCAL_REGISTRY}/coco-keyprovider:v0.10.0"

pushd $HOME/workspace/CoCo/deployment/samples

export confidential_string="test image's encryption secret"
export skopeo_bin=$(which skopeo)

export kbs_namespace="trustee-operator-system"
export kbs_deploy="trustee-deployment"
export kbs_pod_ip_addr="$(kubectl get pods -n $kbs_namespace -o wide | \
  grep $kbs_deploy | \
  sed "s/^.* \([0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\) .*$/\1/g")"
export kbs_resource_dir="/opt/confidential-containers/kbs/repository"

export pod_yaml=encryption.yaml
export pod_name="nginx"
export pod_runtimeclass="kata-qemu-csv3"
export pod_container_image_decrypted="${your_decrypted_image}"
export pod_container_image_encrypted="${your_encrypted_image}"

export UNENCRYPTED_IMAGE="${pod_container_image_decrypted}"
export ENCRYPTED_IMAGE="${pod_container_image_encrypted}"

export coco_keyprovider_image="${your_coco_keyprovider_image}"

export KBS_KEY_FILE="image_key"
if [ ! -e $KBS_KEY_FILE ]; then
  head -c 32 /dev/urandom | openssl enc > "$KBS_KEY_FILE"
fi
export KBS_KEY_B64="$(base64 < $KBS_KEY_FILE)"

export KBS_KEY_PATH="/default/image_key/$pod_name"
export KBS_KEY_ID="kbs://${KBS_KEY_PATH}"

# upload secret key to KBS
if [ $step -eq 1 ]; then
  kubectl exec deploy/$kbs_deploy -n $kbs_namespace -c kbs \
    -- mkdir -p "$kbs_resource_dir/$(dirname "$KBS_KEY_PATH")"
  cat "$KBS_KEY_FILE" | \
    kubectl exec -i deploy/$kbs_deploy -n $kbs_namespace -c kbs \
      -- tee "$kbs_resource_dir/${KBS_KEY_PATH}" > /dev/null
fi

# build a decrypted version
if [ $step -eq 2 ]; then
  sudo docker build \
    --build-arg HTTPS_PROXY="$https_proxy" \
    --build-arg HTTP_PROXY="$http_proxy" \
    -t $UNENCRYPTED_IMAGE - <<EOF
FROM ${your_image}
RUN echo "$confidential_string" > /secret
EOF
fi

# build a encrypted version
if [ $step -eq 3 ]; then
  sudo rm -rf oci/{input,output} || true
  mkdir -p oci/{input,output}
  $skopeo_bin copy docker-daemon:$UNENCRYPTED_IMAGE dir:./oci/input
  docker run \
    -v "${PWD}/oci:/oci" \
    $coco_keyprovider_image \
    /encrypt.sh \
    -k "$KBS_KEY_B64" \
    -i "$KBS_KEY_ID" \
    -s dir:/oci/input -d dir:/oci/output
  $skopeo_bin inspect dir:./oci/output | jq \
    '.LayersData[0].Annotations["org.opencontainers.image.enc.keys.provider.attestation-agent"] | @base64d | fromjson'
fi

# push encrypted image
if [ $step -eq 4 ]; then
  $skopeo_bin copy dir:./oci/output "docker://${ENCRYPTED_IMAGE}"
fi

# setup pod yaml
if [ $step -eq 5 ]; then
  cp $pod_yaml.template $pod_yaml
  sed -i "s!MARK_POD_NAME!$pod_name!g" $pod_yaml
  sed -i "s!MARK_KBS_POD_IP_ADDR!$kbs_pod_ip_addr!g" $pod_yaml
  sed -i "s!MARK_POD_RUNTIMECLASS!$pod_runtimeclass!g" $pod_yaml
  sed -i "s!MARK_POD_CONTAINER_IMAGE_ENCRYPTED!$pod_container_image_encrypted!g" $pod_yaml  
fi

# create coco pod
if [ $step -eq 6 ]; then
  kubectl apply -f $pod_yaml
fi

popd
